CSRSS injection

Postby wassily » Wed Dec 16, 2015 8:33 pm

I have seen the topic with the Vista csrss.exe injection issue, but I can't inject my hook into csrss.exe at all, not in XP, not in Windows 7. I've created TestHook.exe calling LoadInjectionDriver / InjectLibraryW:
Code:
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <conio.h>
#include "madCHook.h"   // madCodeHook C/C++ header

int _tmain(int argc, _TCHAR* argv[])
{
   InitializeMadCHook();
   // Load the 32-bit and 64-bit injection drivers under the service name "TestHk"
   if (LoadInjectionDriver(L"TestHk", L"TestHk.sys", L"TestHk64.sys"))
   {
      // Inject TestHk.dll into all sessions, including system processes,
      // restricted by the include mask to csrss.exe; 10 s timeout
      BOOL injectResult = InjectLibraryW(L"TestHk", L"TestHk.dll", ALL_SESSIONS, TRUE, L"csrss.exe", NULL, NULL, 10000);
      wprintf(L"InjectLibraryW: %s; error: %lu\n", injectResult ? L"OK" : L"FAILED", GetLastError());
      if (injectResult)
      {
         wprintf(L"Press any key to uninject\n");
         _getwch();
         BOOL uninjectResult = UninjectLibraryW(L"TestHk", L"TestHk.dll", ALL_SESSIONS, TRUE, L"csrss.exe", NULL, NULL, 10000);
         wprintf(L"UninjectLibraryW: %s; error: %lu\n", uninjectResult ? L"OK" : L"FAILED", GetLastError());
      }
      StopInjectionDriver(L"TestHk");
   }
   else
      wprintf(L"LoadInjectionDriver error\n");
   return 0;
}

and a Visual Studio template TestHk.dll extended with a simple OutputDebugString(L"TestHk LOADED\n") call in DllMain / DLL_PROCESS_ATTACH (so TestHk.dll only has kernel32.dll imports).
If I remove the InjectLibraryW pIncludeMask parameter (L"csrss.exe" -> NULL), I can see the message being printed from winlogon, svchost and other system processes, but not from csrss.exe. I plan to hook csrss.exe->csrsrv.dll!CsrCreateProcess.
What am I doing wrong?
wassily
 
Posts: 12
Joined: Sun Dec 16, 2012 6:37 pm

Re: CSRSS injection

Postby iconic » Wed Dec 16, 2015 9:15 pm

Hello,

I did this many years ago (6???) and posted my code on this forum. A few things to note: CSRSS is now a protected process on Windows (8?) 8.1. That means you'll definitely not be able to even open this process with adequate injection rights and load a hook DLL from userspace; even kernel mode injection of a DLL on disk will fail, since protected processes use code integrity checks for loaded modules. Pre-Windows 8/8.1 it was easily feasible by enabling the SeDebugPrivilege privilege and injecting into CSRSS. As I mentioned years ago in my original post, each session (including terminal services) has its own instance of CSRSS, so each instance would need to be injected and CsrCreateProcess hooked. It's easier to just use a driver to get notifications of newly created processes, plus there is the benefit of added security (kind of funny considering you need admin rights to inject into CSRSS as well as for the actual loading of a driver; one is just easier to tamper with), and with a kernel driver nobody can just remove it without hacking into kernel space. My intention for the post was to create a backup system-wide injection method (all from usermode) with minimal work for the coder, one which didn't require a driver and all of these newfound "signing" problems we're now seeing with the SHA-1 phaseout.

Original link is here: viewtopic.php?t=5205

P.S.: Vista didn't truly introduce the concept of process session isolation; XP also had it (Fast User Switching, based on Terminal Services logic). It's the same concept and requires a separate instance of CSRSS to be spawned to oversee the new session's thread and process objects. Opt for a more secure and simpler solution: use a kernel callback for process creation. It's a lot less work, unless you've no system-level development experience.

--Iconic
iconic
Site Admin
 
Posts: 967
Joined: Wed Jun 08, 2005 5:08 am
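As an added example of the kernel-side approach iconic recommends (this is not his code, nor madCodeHook's, nor from the linked post): a minimal driver that registers a process-creation callback with PsSetCreateProcessNotifyRoutineEx and logs creations and exits. Built with the WDK, which defines _KERNEL_MODE for kernel-mode targets, the whole file is the driver; built elsewhere, only the portable bookkeeping below the includes compiles, so it can be unit-tested in user mode. The bookkeeping exists because of a detail of this API that bites monitors: on process exit the callback gets CreateInfo == NULL and therefore only a PID, so the image name has to be remembered at creation time. The names track_create, track_exit, MAX_TRACKED and NAME_MAX are this example's own; the fixed-size table and FAST_MUTEX are deliberately simple stand-ins for the lookaside list a production driver would use.

```c
/* Added example, not from the thread or madCodeHook. */
#include <stddef.h>
#include <string.h>

#define MAX_TRACKED 64   /* constructed limits for the example */
#define NAME_MAX    32

/* Live-process table: CreateInfo is NULL on exit, so the callback only has a
 * PID then; remembering the image name at creation lets exits be named. */
typedef struct { unsigned long pid; char name[NAME_MAX]; } tracked_t;
static tracked_t g_tracked[MAX_TRACKED];

/* File-name component of an NT path such as \Device\HarddiskVolume2\...\csrss.exe */
static const char *nt_basename(const char *path) {
    const char *base = path;
    for (const char *p = path; *p; ++p)
        if (*p == '\\') base = p + 1;
    return base;
}

/* Copy src to dst ASCII-lowercased and NUL-terminated, truncating to cap-1. */
static void lower_copy(char *dst, const char *src, size_t cap) {
    size_t i = 0;
    for (; src[i] && i + 1 < cap; ++i)
        dst[i] = (src[i] >= 'A' && src[i] <= 'Z') ? (char)(src[i] + 32) : src[i];
    dst[i] = '\0';
}

/* Record a creation. Returns 1 on success, 0 if the table is full. */
int track_create(unsigned long pid, const char *image_path) {
    for (size_t i = 0; i < MAX_TRACKED; ++i) {
        if (g_tracked[i].pid == 0) {
            g_tracked[i].pid = pid;
            lower_copy(g_tracked[i].name, nt_basename(image_path), NAME_MAX);
            return 1;
        }
    }
    return 0;
}

/* Forget a process on exit; returns its remembered name in out, or "" if it
 * was never seen (for example it started before the driver loaded). */
const char *track_exit(unsigned long pid, char *out, size_t cap) {
    out[0] = '\0';
    for (size_t i = 0; i < MAX_TRACKED; ++i) {
        if (g_tracked[i].pid == pid) {
            lower_copy(out, g_tracked[i].name, cap);
            g_tracked[i].pid = 0;
            break;
        }
    }
    return out;
}

#ifdef _KERNEL_MODE   /* defined by WDK kernel-mode builds */
#include <ntddk.h>

static FAST_MUTEX g_lock;   /* the callback may run on several threads at once */

static void NotifyRoutine(PEPROCESS Process, HANDLE ProcessId,
                          PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    unsigned long pid = (unsigned long)(ULONG_PTR)ProcessId;
    UNREFERENCED_PARAMETER(Process);
    if (CreateInfo != NULL) {
        ANSI_STRING ansi;
        /* Convert before taking the mutex: this allocates from paged pool. */
        if (CreateInfo->ImageFileName != NULL &&
            NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansi, CreateInfo->ImageFileName, TRUE))) {
            DbgPrint("CREATE pid=%lu ppid=%lu image=%s\n", pid,
                     (unsigned long)(ULONG_PTR)CreateInfo->ParentProcessId, ansi.Buffer);
            ExAcquireFastMutex(&g_lock);
            track_create(pid, ansi.Buffer);
            ExReleaseFastMutex(&g_lock);
            RtlFreeAnsiString(&ansi);
        } else {
            DbgPrint("CREATE pid=%lu (image name unavailable)\n", pid);
        }
    } else {
        char name[NAME_MAX];
        ExAcquireFastMutex(&g_lock);
        track_exit(pid, name, sizeof name);
        ExReleaseFastMutex(&g_lock);
        DbgPrint("EXIT pid=%lu image=%s\n", pid, name);
    }
}

static void DriverUnload(PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(NotifyRoutine, TRUE);   /* Remove = TRUE */
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    ExInitializeFastMutex(&g_lock);
    /* Returns STATUS_ACCESS_DENIED unless the image is linked with /INTEGRITYCHECK. */
    return PsSetCreateProcessNotifyRoutineEx(NotifyRoutine, FALSE);
}
#endif
```

Two practical notes: the callback runs in the context of the creating thread at PASSIVE_LEVEL, which is why the Unicode-to-ANSI conversion (a paged-pool allocation) is done before the fast mutex is taken; and because this is a kernel callback rather than an injected hook, it sees every session's processes at once, which is the per-session CSRSS problem iconic describes going away for free.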

Re: CSRSS injection

Postby wassily » Wed Dec 16, 2015 10:52 pm

Hello,
thank you for your explanations. Guess I'm just gonna give up on the csrss hook and learn more about the PsSetCreateProcessNotifyRoutine way.
wassily
 
Posts: 12
Joined: Sun Dec 16, 2012 6:37 pm
